All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
@ 2011-02-14 20:43 Dominick Grift
  2011-02-16 17:43 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2011-02-14 20:43 UTC (permalink / raw)
  To: refpolicy

I guess read_policy is a permissive required together with read_file_perms for /selinux/policy. What audit_access actually does i do not know. Also i re-ordered execmod and open because currently it was not complete.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 0ef9b12... 1966443... M	policy/flask/access_vectors
 policy/flask/access_vectors |   18 ++++--------------
 1 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0ef9b12..1966443 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -27,6 +27,9 @@ common file
 	swapon
 	quotaon
 	mounton
+	audit_access
+	open
+	execmod
 }
 
 
@@ -152,7 +155,6 @@ inherits file
 	reparent
 	search
 	rmdir
-	open
 }
 
 class file
@@ -160,8 +162,6 @@ inherits file
 {
 	execute_no_trans
 	entrypoint
-	execmod
-	open
 }
 
 class lnk_file
@@ -172,27 +172,16 @@ inherits file
 {
 	execute_no_trans
 	entrypoint
-	execmod
-	open
 }
 
 class blk_file
 inherits file
-{
-	open
-}
 
 class sock_file
 inherits file
-{
-	open
-}
 
 class fifo_file
 inherits file
-{
-	open
-}
 
 class fd
 {
@@ -363,6 +352,7 @@ class security
 	setbool
 	setsecparam
 	setcheckreqprot
+	read_policy
 }
 
 
-- 
1.7.4

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110214/4436a879/attachment.bin 

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
  2011-02-14 20:43 [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy Dominick Grift
@ 2011-02-16 17:43 ` Stephen Smalley
  2011-02-16 17:49   ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2011-02-16 17:43 UTC (permalink / raw)
  To: refpolicy

On Mon, 2011-02-14 at 21:43 +0100, Dominick Grift wrote:
> I guess read_policy is a permissive required together with read_file_perms for /selinux/policy. What audit_access actually does i do not know. Also i re-ordered execmod and open because currently it was not complete.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 0ef9b12... 1966443... M	policy/flask/access_vectors
>  policy/flask/access_vectors |   18 ++++--------------
>  1 files changed, 4 insertions(+), 14 deletions(-)
> 
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 0ef9b12..1966443 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -27,6 +27,9 @@ common file
>  	swapon
>  	quotaon
>  	mounton
> +	audit_access
> +	open
> +	execmod
>  }

You can't insert permissions into the common definition without
perturbing the permission values for subsequent permissions in the
per-class definitions.  That isn't a problem for recent kernels with
dynamic class/permission mapping support, but it will break
compatibility for older kernels.  What you can do instead is to add new
permissions, like audit_access, to the end of each per-file class, and
then kernels with the dynamic class/perm mapping support will
transparently map the values.

>  
> 
> @@ -152,7 +155,6 @@ inherits file
>  	reparent
>  	search
>  	rmdir
> -	open
>  }

Likewise you can't move or remove permissions from kernel classes
without breaking old kernels.

>  
>  class file
> @@ -160,8 +162,6 @@ inherits file
>  {
>  	execute_no_trans
>  	entrypoint
> -	execmod
> -	open
>  }
>  
>  class lnk_file
> @@ -172,27 +172,16 @@ inherits file
>  {
>  	execute_no_trans
>  	entrypoint
> -	execmod
> -	open
>  }
>  
>  class blk_file
>  inherits file
> -{
> -	open
> -}
>  
>  class sock_file
>  inherits file
> -{
> -	open
> -}
>  
>  class fifo_file
>  inherits file
> -{
> -	open
> -}
>  
>  class fd
>  {
> @@ -363,6 +352,7 @@ class security
>  	setbool
>  	setsecparam
>  	setcheckreqprot
> +	read_policy
>  }
>  
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Stephen Smalley
National Security Agency

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
  2011-02-16 17:43 ` Stephen Smalley
@ 2011-02-16 17:49   ` Dominick Grift
  2011-02-16 17:50     ` Eric Paris
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2011-02-16 17:49 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/16/2011 06:43 PM, Stephen Smalley wrote:

> 
> You can't insert permissions into the common definition without
> perturbing the permission values for subsequent permissions in the
> per-class definitions.  That isn't a problem for recent kernels with
> dynamic class/permission mapping support, but it will break
> compatibility for older kernels.  What you can do instead is to add new
> permissions, like audit_access, to the end of each per-file class, and
> then kernels with the dynamic class/perm mapping support will
> transparently map the values.
> 

Thanks for the clarification, was wondering already about why it was
added the way it was. Issue with execmod, open permission in refpolicy
is that its not added to all classes that support it currently.

I guess i will submit a retry.

>>  
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1cDjoACgkQMlxVo39jgT/AtwCcCmU8Fq7rVHCpYzwvYItUs/Il
w6wAn1orGBMblcXOHCGXLsnUBESU9x8t
=pJYW
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy.
  2011-02-16 17:49   ` Dominick Grift
@ 2011-02-16 17:50     ` Eric Paris
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Paris @ 2011-02-16 17:50 UTC (permalink / raw)
  To: refpolicy

On Wed, Feb 16, 2011 at 12:49 PM, Dominick Grift <domg472@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/16/2011 06:43 PM, Stephen Smalley wrote:
>
>>
>> You can't insert permissions into the common definition without
>> perturbing the permission values for subsequent permissions in the
>> per-class definitions. ?That isn't a problem for recent kernels with
>> dynamic class/permission mapping support, but it will break
>> compatibility for older kernels. ?What you can do instead is to add new
>> permissions, like audit_access, to the end of each per-file class, and
>> then kernels with the dynamic class/perm mapping support will
>> transparently map the values.
>>
>
> Thanks for the clarification, was wondering already about why it was
> added the way it was. Issue with execmod, open permission in refpolicy
> is that its not added to all classes that support it currently.
>
> I guess i will submit a retry.

I know dan has a patch in rawhide that does it right....

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2011-02-16 17:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-14 20:43 [refpolicy] [ access_vectors patch 1/2] Add access vectors: audit_access, read_policy Dominick Grift
2011-02-16 17:43 ` Stephen Smalley
2011-02-16 17:49   ` Dominick Grift
2011-02-16 17:50     ` Eric Paris

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.